Limit the sources to any user input not sanitized or filetered out

[Sim4n6]

Newbie question here.

How do you limit the number of sources in the predicate isSource ?
I'm looking for the sources that are not filtered or sanitized. is there a way to select only those inputs?

[aibaars]

You can override the isSanitizer predicate of a DataFlow/TaintTracking Configuration. This does not directly limit the isSource predicate but instead block any flow paths that go through the sanitizer node. If all paths from a source pass through a sanitizer then the source then this has the effect of "eliminating" the source from any results reported by CodeQL.

A great write-up by someone who was once a newbie too explains their experience learning CodeQL and touch on many of the important concepts in the QL libraries: https://jorgectf.github.io/blog/post/practical-codeql-introduction/#sanitizers

For more information see the docs: https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll/type.TaintTrackingImpl$Configuration.html